@britt @akkartik There's a side effect here of Google's monopoly. Search+Chrome+Android means that regardless of whether https is necessary in a particular case, Google can effectively hide any site or source that doesn't use https. You can see that as a good thing or a bad thing. And you don't need tin-foil-hatage to see it. More likely is that Google will just do something, for reasons, and we'll just have to put up with it. No malice, just unforeseen consequences.

@jbond @britt Consider the example of mail standards. Google has done a bunch of stuff that is plausibly to address spam that has the side effect of making it much harder to get deliverability with a DIY mail server.

I've kinda assumed HTTPS was a stronger case than this, but Dave Winer is now giving me reason to put the two phenomena in the same category.

@akkartik @britt yup. I'm also just tired of the endless developer taxes on the small developer. I get it that any site big enough to have a two-developer team should deal with cookies, GDPR, https, etc etc etc. But now I'm no longer paid to develop, I resent that I'm told I have to play along.

@jbond De-listing or aggressively demoting HTTP-only sites in ranking seems like too heavy-handed of an approach.

@akkartik I think there is something useful about telling people your blog is not encrypted, though it shouldn't be marked "dangerous" like submitting an unencrypted form. Whoever is sitting on the network can see that I'm going there, which is a bit of my data, but also I can't know that the contents haven't been tampered with in transit. Seems tinfoil hat until you use hotel wifi.

@britt @jbond There's lots useful about https. But there's nothing useful about telling people that my blog is somehow dangerous when it has no data of theirs to secure.

Nobody's saying there's some grand conspiracy. It's just differential supervision once again. Security people have a tendency to ignore usability because it makes their job harder. Similarly, Google has a tendency to standardize all websites to be easier for *them* (i.e. Google Chrome) to manage.

@akkartik @britt @jbond Without the content signature TLS provides, your blog could indeed be dangerous to the visitor coming from public networks like sponsored or free WiFi: DNS poisoning, content injection, traffic redirection and other MITMs.

@dpwiz @akkartik @britt Blogs especially, but also information websites, have a tendency to be long running and have embedded images inserted years (even decades) ago that are served as http. So at least some of the content ends up being mixed http / https. Which then throws security warnings. Actually fixing all this can be a major piece of work.
